23andMe Data Breach Settlement: $46.75M Approved (2026)

23andMe Data Breach Settlement: $46.75 Million Approved for Distribution to Breach Victims

On June 11, 2026, the plan administrator in the Chapter 11 bankruptcy of 23andMe's successor entity recommended that a $46.75 million settlement fund be distributed to victims of the company's 2023 genetic-data breach, in proceedings before the U.S. Bankruptcy Court for the Eastern District of Missouri, Case No. 25-40976.

Information last verified on June 13, 2026. This is a developing story; we update it as the record changes.

Jurisdiction and scope: This settlement is before a federal bankruptcy court in the Eastern District of Missouri and covers a nationwide class of U.S. consumers. The proceedings described here are general legal news. This article is general information only and does not constitute legal advice.

What Happened

In March 2025, 23andMe Holding Co. filed for Chapter 11 bankruptcy protection. The company's operating assets were subsequently sold for approximately $305 million to TTAM Research Institute, a nonprofit public benefit corporation led by co-founder Anne Wojcicki, with the sale receiving court approval in late June 2025 and closing in mid-July 2025. The remaining debtor entity was renamed Chrome Holding Co.

Folded into the bankruptcy estate were consolidated consumer class-action claims stemming from a 2023 data breach. The U.S. Bankruptcy Court for the Eastern District of Missouri, presided over by Judge Brian C. Walsh, authorized a settlement cap of $50 million in January 2026 to resolve those claims.

On June 11, 2026, the plan administrator filed a notice in Case No. 25-40976 recommending that $46.75 million be approved for distribution. A June 10 filing noted that 255,860 or more claims had been resolved, while thousands of claims remained unresolved. Kroll serves as the settlement and claims administrator. The $46.75 million total includes approximately $14.29 million already disbursed to Kroll for administration costs, with roughly $32.46 million in additional claimant distributions remaining. Reporting on the distribution describes payouts ranging from roughly $50 for standard claims to $10,000 for claimants who can document extraordinary harm such as identity theft; residents of states with genetic-privacy statutes, including California, Illinois, Alaska, and Oregon, may be eligible for fixed statutory payments. As of June 13, 2026, the filing represents the administrator's recommendation; the ultimate distribution requires court approval.

What the Law Actually Says

The 23andMe breach sits at the intersection of two bodies of California law that treat genetic data as among the most sensitive categories of personal information.

Breach notification obligations. California's data-breach notification statute, Cal. Civ. Code section 1798.82, requires businesses that own or license computerized data containing personal information of California residents to notify affected individuals in the event of a security breach. California amended the definition of personal information to add genetic data to the categories that trigger mandatory notice obligations. That meant 23andMe's breach implicated formal notification duties under state law. For the details of one state's regime, see our guide to California's data breach notification law.

Genetic data protection. California's Genetic Information Privacy Act (GIPA), codified at Cal. Civ. Code section 56.18 and enacted as Senate Bill 41 (effective January 1, 2022), imposes specific consent and security requirements on direct-to-consumer genetic testing companies. GIPA requires express consumer consent before collection and disclosure of genetic data and mandates reasonable security practices. It is enforced by the California Attorney General and local prosecutors rather than through a direct private right of action; civil penalties of up to $10,000 per willful violation are paid to the affected individual but must be pursued by a government actor. The 23andMe incident illustrates precisely the risk that GIPA's drafters sought to address: genetic data, once exposed, cannot be changed and carries permanent privacy implications. For a broader look at how states treat biometric and genetic data as sensitive information, the legal landscape varies considerably by jurisdiction.

Bankruptcy does not extinguish consumer breach claims. A core principle illustrated by this case is that consumers who hold tort or privacy claims against a bankrupt company do not simply lose those claims when the debtor files for protection. Instead, their claims are treated as unsecured obligations against the bankruptcy estate and are resolved through the plan of reorganization or liquidation. Here, the consumer class claims were transferred into the estate and resolved through the structured settlement fund rather than through individual litigation. The data broker and data-sharing regulatory framework is still catching up to these cascading-exposure risks.

Analysis: Why This Matters

The following is analysis from the Recording Law Editorial Team.

The 23andMe settlement is notable for several reasons that extend beyond the dollar figures.

First, it establishes a concrete example of genetic-data breach liability being resolved through the bankruptcy process at a meaningful scale. The $46.75 million figure, covering roughly 7 million affected consumers, works out to a relatively modest per-person amount for most claimants. That reflects both the realities of mass-tort settlements and the financial constraints of a bankrupt estate, not a statement about the severity of the privacy harm.

Second, the case demonstrates that California's GIPA and expanded breach-notification statutes are not merely aspirational. The consolidated class action that preceded the bankruptcy filing cited these statutes, and their existence shaped the litigation posture and the settlement value. Companies that collect genetic or biometric data should treat those statutes as creating enforceable obligations, not just regulatory guidance.

Third, this settlement is distinct from California's separate enforcement action. The California Attorney General filed an independent enforcement suit against 23andMe under state privacy law. That case, covered in our article on the California AG's 23andMe enforcement action, proceeds on a different legal theory and timeline. Readers should not treat the two matters as interchangeable: the bankruptcy distribution resolves private consumer class claims; the AG action is a government enforcement matter.

Fourth, the structure of the breach itself merits attention. The credential-stuffing campaign, which 23andMe disclosed in October 2023, directly compromised roughly 14,000 accounts. The amplification to approximately 6.9 million people resulted from profile-sharing features: about 5.5 million through the DNA Relatives feature and about 1.4 million through Family Tree, exposing the shared profile information of genetic relatives who had no idea their data was at risk. This is a design-liability question that courts and regulators are increasingly scrutinizing in the context of social and genomic platforms.

How This Affects You

If you were a 23andMe customer whose data was exposed in the 2023 breach, the following general information may help orient you. It is not individualized legal advice.

How class members learn of eligibility. In large class-action and bankruptcy settlements, eligible claimants typically receive notice via email or first-class mail using contact information on file with the debtor or claims administrator. If you believe you were affected and have not received notice, Kroll's restructuring administration portal for this case is the official resource for case documents and deadlines.

What a settlement fund distribution means. A settlement fund distribution is not a judgment that any individual was wronged. It is a negotiated resolution in which the estate agrees to pay a defined pool in exchange for releasing covered claims. Claimants who submitted valid claims are evaluated against the settlement criteria; the payout amount reflects the claim tier (standard or extraordinary) and the pro-rata share of the available fund after administrative costs.

Timing. Thousands of claims remained unresolved as of the June 10, 2026 filing. Final distributions depend on the court approving the administrator's recommendation and the resolution of pending claims. There is no publicly stated final distribution date as of June 13, 2026.

No action needed if you already filed. If you submitted a claim before the applicable deadline, you do not need to refile. Monitor communications from Kroll or the official settlement website for updates.

This is general legal information, not legal advice. This article covers federal bankruptcy proceedings in the Eastern District of Missouri (Case No. 25-40976) and applicable California genetic-data privacy statutes (Cal. Civ. Code sections 1798.82 and 56.18) as they relate to a nationwide consumer data breach. Information was verified as of June 13, 2026. This is a developing story; facts may change as the court acts on the administrator's recommendation. Nothing in this article creates an attorney-client relationship or constitutes advice about your specific legal situation. Consult a lawyer licensed in your jurisdiction for advice about your individual circumstances.

Related articles

• California AG's Separate 23andMe Enforcement Action
• California Data Breach Notification Law
• Biometric and Genetic Data Privacy Laws

---

Last updated: 2026-06-13. This is a developing story; details verified as of 2026-06-13.